Risk scoring
About risk scoring
Devo Behavior analytics provides risk scores at two different levels:
Alert Technique Risk Score: a measure of risk for the specific MITRE ATT&CK technique that the alert is associated with, on a scale from 0 to 100.
Entity Risk Score: a calculated risk score that takes into account all of the alerts and behavior deviations for an entity, on a scale from 0 to 100.
Alert Risk Score
The Alert Technique Risk Score (TRS) is the out-of-the-box alert risk score framework that dictates the risk contribution of a specific alert or behavioral deviation. The TRS is determined by the Devo SciSec threat research team based on research into common attack patterns for MITRE ATT&CK techniques. Through this research, each technique is evaluated for technique awareness, cut vertex to other techniques, technique closeness, and technique actionability to determine its risk score. The Alert Technique Risk Score is the default model of alert risk within Devo today and is available for all SecOps alerts out of the box. The TRS is additionally modulated by the priority set on an alert, so that alerts an organization marks as higher priority for its environment contribute more risk.
To take advantage of the Alert Technique Risk Score in a custom alert, you must include both the MITRE ATT&CK Technique ID and alert priority. Both of these values are used in the risk processor to calculate risk associated with an entity. To take advantage of the out-of-the-box risk score framework you can use the example alert LINQ provided below:
select "T1548" as mitreTechniqueId
select "4" as alertPriority
Alternatively, if you would like to set your own risk score for your alerts on a scale from 0 to 100, you can add the risk score as a value directly in the alert LINQ, for example:
select 50 as risk
If there is no risk score associated with an alert then a default risk score of 35 will be used if there is an entity mapped within the alert. The entity mapping at the bottom of the page must be present in order to make use of the default risk score.
If no values for technique ID, risk, or entity are listed in the alert then the alert will be ignored by the risk calculation process.
If you want to exclude an alert from the risk calculation because it alerts on data in the entity.behavior.risk.events table, add select "Risk" as alertType to the alert and it will be excluded. The Risk alert type avoids positive feedback loops of entity risk over time:
select "Risk" as alertType
Entity Risk Score
On top of the risk score configuration, you must add SecOps alert entities to your alerts. These associate the alert's TRS data with a specific entity so that the Entity Risk Score can be calculated.
select userIdentity_arn as entity_sourceName
select userIdentity_accountId as entity_sourceAccount
select sourceIPAddress as entity_sourceIP
Once the Alert TRS or custom risk scores are configured within a Devo domain's alerts and behavioral detections, risk can accumulate on the specific entities within the domain that are associated with those alerts and behavioral signals. The Entity Risk Score (ERS) is calculated from all the alerts and behavior signals within the domain over the last 7 days and aggregates the risk contribution from each of them on the specific entities involved. The aggregate risk score is then normalized against all entities within the domain, which results in the final ERS.
The ERS calculation is done by a risk processor that is enabled within a Devo domain. It runs every hour and calculates risk on the alerts and behavioral signals that occurred in the 7 days before the time it was run. The ERS is written every hour to the entity.behavior.risk.events table and can be viewed via data search within a Devo domain.
The ERS score is what is displayed around an entity through the Devo Behavior Analytics application and is used to help identify users, devices, and domains that are suspicious. The Alert TRS or customized risk score is displayed within the entity's alert history view to give context as to how much risk an individual alert or behavioral deviation contributed to the ERS.
To identify entities within your alerts and map them to users, devices, and/or domains, use the following mapping cheatsheet:
Users
-entity_sourceName
-entity_destinationName
-entity_sourceAccount
-entity_destinationAccount
-entity_sourceEmail
-entity_destinationEmail
Device
-entity_sourceIP
-entity_destinationIP
-entity_sourceHostname
-entity_destinationHostname
Domain
-entity_sourceDomain
-entity_destinationDomain
-entity_sourceUrl
-entity_destinationUrl
The above mapping allows the risk processor to identify the entities within the alerts to calculate the risk and then appropriately map them to the display in the application.
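To make the documented rules concrete (alerts with alertType "Risk" are excluded, alerts with no mapped entity are ignored, a mapped entity with no risk or technique gets the default of 35, only the last 7 days count, risk is summed per entity and then normalized), here is an added Python model of the risk processor. It is not Devo's code: the TRS values, the priority weighting and the max-normalization are assumptions marked in the comments, and the alerts are constructed sample data.

```python
from datetime import datetime, timedelta

DEFAULT_RISK = 35           # documented default when an entity is mapped but no risk is set
WINDOW = timedelta(days=7)  # documented look-back window of the risk processor
TECHNIQUE_RISK = {"T1548": 60, "T1078": 45}  # constructed TRS values; real ones come from Devo SciSec
ENTITY_FIELDS = tuple(f"entity_{d}{k}" for k in (  # the mapping cheatsheet fields
    "Name", "Account", "Email", "IP", "Hostname", "Domain", "Url") for d in ("source", "destination"))

def alert_risk(alert):
    """Risk contribution of one alert, or None when the processor ignores it."""
    if alert.get("alertType") == "Risk":
        return None  # risk-on-risk alerts are excluded to avoid a feedback loop
    if not any(alert.get(f) for f in ENTITY_FIELDS):
        return None  # no entity mapped: nothing to attribute risk to
    if "risk" in alert:  # custom score set directly in the alert LINQ
        return max(0, min(100, int(alert["risk"])))
    tech = alert.get("mitreTechniqueId")
    if tech in TECHNIQUE_RISK:
        # Assumption: priority 0..5 scales the TRS; Devo's exact modulation is not documented here.
        weight = 0.5 + 0.1 * int(alert.get("alertPriority", 3))
        return min(100, round(TECHNIQUE_RISK[tech] * weight))
    return DEFAULT_RISK  # entity present but no risk or technique: documented default

def entity_risk_scores(alerts, now):
    """Entity -> (total_risk, 0-100 score) over the window; normalizing to the top entity is assumed."""
    totals = {}
    for a in alerts:
        r = alert_risk(a) if now - a["eventdate"] <= WINDOW else None
        if r is None:
            continue
        for f in ENTITY_FIELDS:
            if a.get(f):
                totals[a[f]] = totals.get(a[f], 0) + r
    top = max(totals.values(), default=0)
    return {e: (t, round(100 * t / top)) for e, t in totals.items()}

NOW = datetime(2024, 1, 15, 12, 0)
ALICE = "arn:aws:iam::123456789012:user/alice"  # constructed sample entity
SAMPLE_ALERTS = [  # constructed sample alerts
    {"mitreTechniqueId": "T1548", "alertPriority": "4", "entity_sourceName": ALICE,
     "entity_sourceIP": "10.0.0.5", "eventdate": NOW - timedelta(days=1)},
    {"risk": 50, "entity_sourceName": ALICE, "eventdate": NOW - timedelta(hours=2)},
    {"entity_sourceHostname": "host-7", "eventdate": NOW - timedelta(days=3)},
    {"alertType": "Risk", "risk": 90, "entity_sourceName": ALICE, "eventdate": NOW},
    {"mitreTechniqueId": "T1548", "entity_sourceName": ALICE, "eventdate": NOW - timedelta(days=10)},
    {"mitreTechniqueId": "T1078", "eventdate": NOW},  # no entity: ignored
]

def sample_scores():
    return entity_risk_scores(SAMPLE_ALERTS, NOW)
```

Running sample_scores() shows the excluded Risk alert, the alert outside the window and the entity-less alert contributing nothing, while the same alert adds its score to both the user and the IP it names.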
entity.behavior.risk.events overview
entity: Name of entity
total_risk: Cumulative (sum) risk score
related: All related entities observed
last_risk: Time of the most recent alert/anomaly signal observed
alert_metrics_secops: Total number of observed SecOps alerts
alert_metrics_ueba: Total number of observed anomaly signals
priority_metrics_high: Total number of observed SecOps alerts that were of severity "High"
priority_metrics_critical: Total number of observed SecOps alerts that were of severity "Critical"
entity_risk: Normalized risk score for this entity's type
entity_type: Type of entity
global_risk: Normalized risk score for all entities
unique_alerts: Unique or distinct number of alerts observed
unique_techiniques: Unique or distinct number of MITRE techniques observed
unique_tactics: Unique or distinct number of MITRE tactics observed